Wednesday, April 22, 2015

Health Information Data Security in the Private Sector: Things You Need to Know

In February 2015 (1) and in March 2015 (2), there were two huge security breaches at privately run insurance companies, Anthem Health and Premera Blue Cross of Washington. The former was so significant there has been a legislative review. However, what is missing is the public outcry over the "open window" on your most personal information, because that is essentially what a data breach is: a burglar entering a private company and stealing valuable property. This property belongs to you, and only under specific circumstances should you authorize anyone else to have access to this information.

On February 5, 2015, 78.8 million health care records were hacked at Anthem, a Blue Cross Blue Shield affiliate, formerly known as Wellpoint. This means that the social security number, medical history, names, income information and addresses were all compromised. What makes this breach so egregious is that, unlike getting a new credit card number, changing one's health history is not doable. Additionally, Anthem says between 9 and 20 million people who were NOT their customers also had medical records compromised. Anthem's fix for the problem was giving hacking victims a subscription for a credit-watch service.

Fast forward to March 17th, and Washington State's Premera Blue Cross found itself with its cyber pants down as well, posting a data breach for 11 million members. In Premera's security lapse the thieves got away with clinical, social security, birth date, and bank account information. Premera acted quickly to notify customers, but again, its only fix was to offer a two-year gratis subscription to a credit watch agency. After which, you will of course be hounded by a credit agency to subscribe.

In both of these cases the insurance companies had the data of their customers, and of people who were not their customers, hacked. For a ringside view, my son, who is not a Premera customer and hasn't been one in a decade, received notification of the security problem. In addition, I, who was a Premera customer last year, did not receive a notification, until Premera sent about six notices to everyone who has ever lived at my residence in the last 15 years. Of course I contacted the insurance company to question this error and was assured they knew what they were doing. But this raises a question: how long can an insurance company legally hold your personal information, and what do they do with it? And are former customers treated with less data hygiene, hence the confusion over who was to receive the notices, the addresses, and whose information was tampered with? Premera is being sued by at least one person because of this compromise.

Neither of these scenarios is isolated, and in fact security experts think many insurance companies may have been breached and are simply not yet aware of it. Cyber thieves find medical information so compelling because medical fraud can amount to millions without the contract limits of other insurance contracts.

Since the Affordable Care Act has codified the use of private sector insurance in publicly funded insurance exchanges, the insurance exchange administrators, state health care departments, and state Medicaid Offices are also in various degrees of partnerships with private insurers. Last year, Community Health Plan had a significant data breach. Some states, with grant incentives from provisions of the Affordable Care Act, have undertaken ambitious programs to identify health risks and theoretically improve health for residents through private companies. My son has been called numerous times by United Healthcare, requesting very personal information, both from a live person and from a robot. I have spoken to United Healthcare representatives numerous times and declined to give the information, but to no avail. In fact, even when I requested I be added to the do-not-call list and pointed out the Anthem data breach, I was told by the company representative that she did not think that would stop the calls.

Which brings me to number two: you do not have to provide personal health information to your insurance company, unless it is for use in adjudicating or paying a claim. Generic information to be used for their own surveillance or marketing efforts does not have to be proffered. As a former insurance broker I can assure you that insurance companies collect information for their own purposes and not necessarily to benefit you. In fact, if it wasn't for legal recourse, insurance companies would still be discriminating on the basis of race and sexual orientation. The only person you should share your personal medical information with is your doctor or clinician, who has agreed to the Hippocratic oath of confidentiality, or at the very least your attorney, who must also keep client information confidential. All of the rest of the data requests should be approached with extreme caution. I, for one, only share my health information with my doctor, unless there is a question on a claim. I suggest you do the same, because insurance companies pay claims; they don't take care of your health. Leave that to your doctor.

And this is the healthpolicymaven signing off, encouraging prudence when it comes to sharing your medical information with private sector as well as quasi-government entities.

This article was written by Roberta E. Winter, an independent freelance journalist and author of http://www.amazon.com/Unraveling-U-S-Health-Care-Personal/dp/1442222972. Feel free to share it virally and to make proper attribution when citing material from this article. Speaking of viruses, a study of 95,000 medical records finds NO LINK between autism and the measles, mumps, and rubella vaccine. (3) Thanks for vaccinating, parents.